Auditing Web-Applications - Part 2


Logfile inspection

Once the audit log is set up properly, the next step is inspecting what actually happens to your web application. The inconvenient thing about mod_security's audit log is that it is not line-oriented: every audit event spans several lines of text. One way of dealing with that is to grep through the file or to do a full-text search in your favourite viewer (vi, less).

But this becomes tedious as soon as you want to pick single events, or even a whole session, out of the audit log, perhaps to review them later or to analyse them separately. I wrote a Java tool that makes these tasks a little easier: the AuditViewer.

You can simply run it on Windows by double-clicking the jar archive, or run

   java -Xmx1024M -jar AuditViewer-0.1.jar

in your shell (this works the same on Linux and OS X). The AuditViewer provides easy access to an audit log file as written by the mod_security audit engine. You can read an audit file, mark a set of events and save them to a different file. You can also load several files one after another.

AuditViewer's features

Besides displaying a list of audit events, the AuditViewer provides the following features:
  • Filtering of events
  • SessionView
  • Request Re-injection
  • Live View on the Events

Filtering of events

The list of events can be limited to a user-defined selection. This is done with regular expressions similar to those used by mod_security, which can be applied to a number of variables like the ones mod_security defines. The set of variables is not complete and might need some improvement, but see the comments section for that ;-)

Session View

The AuditViewer provides a SessionView which shows the events that have been read, grouped by a basic session tracker. The tracker groups events by their client IP address and a session time of 2 hours. Keep in mind that this merges all clients behind a shared NAT or proxy address into one session and splits a client whose address changes.
More sophisticated session-tracking algorithms are planned, but due to lack of time this IP-based algorithm is the only one available right now.

Request Re-Injection

One of the advanced features of the AuditViewer is request re-injection. If you let the audit engine log full requests, that is, you included sections B (request headers) and C (request body) in your SecAuditLogParts, you can double-click on an event and re-inject it into the web server. The re-inject dialog lets you edit the request before sending it and even computes the correct Content-Length when sending a POST request. You can also specify the IP address of the server you want to send the request to. Point it only at a test instance or a server you are authorised to test: the replayed request carries the original payload, so re-injecting it into production repeats the attack.

The re-injection feature is especially interesting when using the AuditViewer in combination with the rule-set editor REMO, as it makes debugging and testing of rule sets a little easier.
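The three jobs described above (splitting the multi-line audit log into events, grouping them by client IP with a 2-hour window as the SessionView does, and rebuilding a logged request with a recomputed Content-Length for re-injection) can also be scripted without the GUI. The following Python script is an added example, not AuditViewer's code. It assumes the serial audit-log format of ModSecurity 2.x with parts A, B, C and Z, reads the 2-hour session time as an idle timeout between two requests of the same address, ignores the time-zone offset (all entries of one file share it) and works on a constructed sample log.

```python
"""Parse a ModSecurity 2.x serial audit log, group its events into IP-based
sessions and rebuild a logged request for re-injection (added example)."""
import re
import socket
from datetime import datetime, timedelta

# Constructed sample: three events logged with SecAuditLogParts "ABCZ"
# (part C is only present for the POST).
SAMPLE_LOG = """\
--5a1b2c3d-A--
[12/Mar/2008:10:15:01 +0100] R9cAAAAAAAAAAACCAAAA 10.0.0.5 51022 192.168.1.10 80
--5a1b2c3d-B--
POST /login.php HTTP/1.1
Host: www.example.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 5

--5a1b2c3d-C--
user=
--5a1b2c3d-Z--

--5a1b2c3e-A--
[12/Mar/2008:10:40:12 +0100] R9cAAAAAAAAAAACCAAAB 10.0.0.5 51030 192.168.1.10 80
--5a1b2c3e-B--
GET /index.php?id=1 HTTP/1.1
Host: www.example.com

--5a1b2c3e-Z--

--5a1b2c3f-A--
[12/Mar/2008:13:20:44 +0100] R9cAAAAAAAAAAACCAAAC 10.0.0.5 51101 192.168.1.10 80
--5a1b2c3f-B--
GET /admin/ HTTP/1.1
Host: www.example.com

--5a1b2c3f-Z--
"""

BOUNDARY = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)
# Part A: [timestamp] unique_id client_ip client_port server_ip server_port
PART_A = re.compile(r"^\[(\d\d/\w{3}/\d{4}:\d\d:\d\d:\d\d)[^\]]*\] (\S+) (\S+) \d+ (\S+) \d+$")
SESSION_TIMEOUT = timedelta(hours=2)   # AuditViewer's 2-hour session time

def parse_audit_log(text):
    """Return one dict per event holding the raw text of each logged part."""
    events, current = [], None
    marks = list(BOUNDARY.finditer(text))
    for i, m in enumerate(marks):
        bid, part = m.groups()
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        # Part content sits between its boundary line and the next boundary; the
        # newline after the boundary and the one terminating the part are dropped.
        body = text[m.end():end]
        body = body[1:] if body.startswith("\n") else body
        body = body[:-1] if body.endswith("\n") else body
        if part == "A":                       # part A opens a new event
            current = {"id": bid}
            events.append(current)
        if current is None or current["id"] != bid:
            raise ValueError("part %s of %s outside its event" % (part, bid))
        current[part] = body
    for ev in events:
        ts, uid, client, server = PART_A.match(ev["A"]).groups()
        # zone offset ignored (assumption): all entries of one file share it
        ev.update(unique_id=uid, client_ip=client, server_ip=server,
                  time=datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S"))
    return events

def group_sessions(events, timeout=SESSION_TIMEOUT):
    """Group events by client IP; a gap longer than `timeout` since that IP's
    previous event starts a new session (2 hours read as an idle timeout)."""
    sessions, open_by_ip = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        sess = open_by_ip.get(ev["client_ip"])
        if sess is None or ev["time"] - sess[-1]["time"] > timeout:
            sess = []
            sessions.append(sess)
            open_by_ip[ev["client_ip"]] = sess
        sess.append(ev)
    return sessions

def build_request(ev, body=None):
    """Rebuild the raw request from part B (request line + headers) and part C.
    Pass `body` to substitute an edited body; Content-Length is recomputed."""
    lines = ev["B"].splitlines()
    request_line = lines[0]
    headers = [h for h in lines[1:] if h and not h.lower().startswith("content-length:")]
    payload = (ev.get("C", "") if body is None else body).encode("latin-1")
    if payload or request_line.split()[0] in ("POST", "PUT"):
        headers.append("Content-Length: %d" % len(payload))
    return ("\r\n".join([request_line] + headers) + "\r\n\r\n").encode("latin-1") + payload

def reinject(raw_request, host, port=80, timeout=5):
    """Send a rebuilt request to a server you control; return its status line."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(raw_request)
        return s.recv(4096).split(b"\r\n", 1)[0].decode("latin-1", "replace")

if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_LOG)
    for n, sess in enumerate(group_sessions(evs), 1):
        print("session %d: %s, %d request(s)" % (n, sess[0]["client_ip"], len(sess)))
    print(build_request(evs[0], body="user=admin'--").decode("latin-1"))
```

`reinject()` uses a plain TCP connection and is kept separate from `build_request()` so the rebuilt request can be inspected before anything is sent; as with the dialog in the tool, aim it only at a test instance.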

Live-View on events

In combination with another Java tool I wrote, the AuditLogger, the AuditViewer can be used to view audit events from a remote machine over an SSL connection. AuditLogger is started on the web server and reads an audit log file. As soon as an AuditViewer client connects, it sends a copy of each newly read audit event to the client. It also offers a basic authentication scheme using login/password. To start the AuditLogger as an event provider you need to issue (all on one line):
   # java -Xmx1024M -cp AuditLogger-0.4.4.jar org.jwall.AuditServer \
          --users /path/to/users-file /path/to/your/audit-log-file
The prompt above is a root shell, but the process only needs read access to the audit log, so prefer an unprivileged account that has it. The users file consists of one entry per line of the form
<user1>=<password1>
<user2>=<password2>
Currently only plain-text passwords are supported; md5-based password files are in progress. Since the passwords are stored in the clear, keep the file readable only by the user the AuditLogger runs as. The server process listens on port 10001 by default, but you can specify a different port with --port <PORT-NUMBER>.
The server uses a built-in SSL certificate. Note that a certificate whose private key ships inside the jar cannot authenticate the server: every copy of the jar carries the same key, so the connection is protected against passive eavesdropping but not against someone who has the jar and sits between viewer and server. Future versions will support self-created external certificates and most probably client authentication via SSL certificates.
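The reading side of such an event provider has one subtlety: the log is being appended to while it is read, so an event must not be handed to clients before its Z part has been written. The following Python class is an added example of that incremental reading and not AuditLogger's code; the SSL transport and the login step are left out, and the event it appends to a temporary file is constructed.

```python
"""Follow a growing ModSecurity serial audit log and hand over complete events
only, the way a live event provider must (added example, not AuditLogger code)."""
import os
import re
import tempfile

# An event is complete once its Z boundary line has been written.
END_OF_EVENT = re.compile(r"^--[0-9a-f]+-Z--\n", re.M)


class AuditTail:
    """Incremental reader keeping a byte offset and the not-yet-complete tail text."""

    def __init__(self, path):
        self.path, self.offset, self.buf = path, 0, ""

    def poll(self):
        """Read what was appended since the last call; return complete events only.
        A half-written event stays in the buffer until its Z part arrives."""
        with open(self.path, "rb") as f:
            f.seek(self.offset)
            self.buf += f.read().decode("latin-1")
            self.offset = f.tell()
        events = []
        while True:
            m = END_OF_EVENT.search(self.buf)
            if m is None:
                break
            events.append(self.buf[:m.end()].strip("\n"))
            self.buf = self.buf[m.end():]
        return events


def demo():
    """Append one constructed event in two writes to a temp file: the first poll
    must hand over nothing, the second the complete event."""
    fd, path = tempfile.mkstemp(suffix=".log")
    os.close(fd)
    tail = AuditTail(path)
    try:
        with open(path, "ab") as f:          # parts A and B only: event incomplete
            f.write(("--0a1b2c3d-A--\n[12/Mar/2008:10:15:01 +0100] R9cAAAAAAAAAAACCAAAA "
                     "10.0.0.5 51022 192.168.1.10 80\n--0a1b2c3d-B--\nGET / HTTP/1.1\n"
                     "Host: www.example.com\n\n").encode("latin-1"))
        first = tail.poll()
        with open(path, "ab") as f:          # the Z part completes it
            f.write(b"--0a1b2c3d-Z--\n\n")
        second = tail.poll()
    finally:
        os.unlink(path)
    return first, second


if __name__ == "__main__":
    print(demo())
```

A real provider would call `poll()` in a loop (or after an inotify-style notification) and push each returned event to the authenticated clients; keeping the offset rather than re-reading the file also means a log of several hundred megabytes is not rescanned on every round.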

Comments/Feedback

This tool is still in development. Although carefully tested, I cannot give any warranty that it does not break anything or crash your system ;-)
As with any software, I do not expect it to be free of bugs and appreciate any bug reports, feature requests and comments on the tool.